// For flags

CVE-2022-21703

Cross Site Request Forgery in Grafana

Severity Score

8.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Grafana is an open-source platform for monitoring and observability. Affected versions are subject to a cross site request forgery vulnerability which allows attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, Editors or Admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges. Users are advised to upgrade as soon as possible. There are no known workarounds for this issue.

Grafana es una plataforma de código abierto para la monitorización y la observabilidad. Las versiones afectadas están sujetas a una vulnerabilidad de tipo cross site request forgery que permite a atacantes elevar sus privilegios al montar ataques de origen cruzado contra usuarios autenticados de Grafana con altos privilegios (por ejemplo, editores o administradores). Un atacante puede explotar esta vulnerabilidad para una elevación de privilegios al engañar a un usuario autenticado para que invite al atacante como un nuevo usuario con altos privilegios. Se recomienda a usuarios actualizar lo antes posible. No hay medidas de mitigación adicionales conocidas para este problema

A Cross-site request forgery (CSRF) vulnerability was found in Grafana. This flaw allows anonymous attackers to elevate their privileges by mounting cross-origin attacks against authenticated high-privilege Grafana users (for example, editors or admins). An attacker can exploit this vulnerability for privilege escalation by tricking an authenticated user into inviting the attacker as a new user with high privileges.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-11-16 CVE Reserved
  • 2022-02-08 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-09-14 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-352: Cross-Site Request Forgery (CSRF)
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 >= 3.0.1 < 7.5.15
Search vendor "Grafana" for product "Grafana" and version " >= 3.0.1 < 7.5.15"
-
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 >= 8.0.0 < 8.3.5
Search vendor "Grafana" for product "Grafana" and version " >= 8.0.0 < 8.3.5"
-
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta1
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta2
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta3
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta4
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta5
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta6
Affected
Grafana
Search vendor "Grafana"
 Grafana
Search vendor "Grafana" for product "Grafana"
 3.0.0
Search vendor "Grafana" for product "Grafana" and version "3.0.0"
beta7
Affected
Netapp
Search vendor "Netapp"
 E-series Performance Analyzer
Search vendor "Netapp" for product "E-series Performance Analyzer"
 < 3.0
Search vendor "Netapp" for product "E-series Performance Analyzer" and version " < 3.0"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected